Security policies can be tricky to navigate with constantly changing technology, but when developing a cloud program, it’s vital for agencies to continually update those policies, according to Federal leaders.
“Frankly, a lot of the security policies really have not kept up with the speed of innovation,” the Department of State’s Director of the Cloud Program Management Office, Brian Merrick, said during an FCW cloud security event on Jan. 27. “It’s hard. It takes a lot of time to actually work through those policy issues, and make sure that all the stakeholders’ equities are properly aligned as this technology is constantly changing.”
When developing State’s cloud security strategy, Merrick said the main goal was “trying to reduce risk by leveraging enterprise platforms.” However, in doing so Merrick found that security policies needed to be updated along the way.
By working with security professionals and bringing them into the process during the initial program planning stages, Merrick said security policies were able to accommodate new technologies more easily.
“We’re really trying to get at the spirit of the compliance requirement, versus the letter of the law,” Merrick said. “Because frankly, a lot of this stuff just works differently, physically, than it did when those policies were put in place originally, but the intent is still the same.”
Speaking at the same event, Danielle Metz, acting deputy CIO for Information Enterprise at the Department of Defense’s (DoD) Office of the DoD Chief Information Officer, added that CIOs should “serve as a facilitator” to development teams in order to get key policies implemented.
“They don’t need us to tell them what tools the pipeline needs to look like,” Metz said. “What they do need is our help making sure that there aren’t policy obstacles in the way, as they try and do this work.”